If our SIEM allowed us to define conditions to reset the time window when they are met, I think we can do a lot better for cases like this one.
I try to think of it another way, like if our SIEM solution allowed us to use attribute-value pairs, so we can use that as well. Say, we count +1 for each failure and -1 for each success in a 10-minute time window, for example.
For your case, if it's only machine-to-machine activity, can we ignore those activities using source IP & destination IP filters?
Just my two cents!
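The +1/-1 sliding-window scoring with a machine-to-machine filter, as an added Python example that is not from the original thread or any particular SIEM; the event tuples, the threshold of 5 and the `M2M_PAIRS` allowlist are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events (not real logs): (timestamp, src_ip, dst_ip, outcome)
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "10.0.0.5", "10.0.1.20", "failure"),      # user typo
    ("2024-01-01T10:00:30", "10.0.0.5", "10.0.1.20", "failure"),
    ("2024-01-01T10:01:00", "10.0.0.5", "10.0.1.20", "success"),      # offsets one failure
    ("2024-01-01T10:00:00", "198.51.100.3", "10.0.1.20", "failure"),
    ("2024-01-01T10:01:00", "198.51.100.3", "10.0.1.20", "failure"),
    ("2024-01-01T10:02:00", "198.51.100.3", "10.0.1.20", "failure"),
    ("2024-01-01T10:15:00", "198.51.100.3", "10.0.1.20", "failure"),  # earlier 3 have expired
    ("2024-01-01T10:16:00", "198.51.100.3", "10.0.1.20", "failure"),
    ("2024-01-01T10:17:00", "198.51.100.3", "10.0.1.20", "failure"),
]
# Five rapid failures from one source: should alert.
SAMPLE_EVENTS += [("2024-01-01T10:05:%02d" % (i * 10), "203.0.113.7", "10.0.1.20", "failure") for i in range(5)]
# Eight failures on an allowlisted machine-to-machine pair: should be ignored.
SAMPLE_EVENTS += [("2024-01-01T10:20:%02d" % i, "10.0.2.9", "10.0.1.20", "failure") for i in range(8)]

WINDOW = timedelta(minutes=10)
THRESHOLD = 5
# Hypothetical allowlist of known service-account (src, dst) pairs to skip.
M2M_PAIRS = {("10.0.2.9", "10.0.1.20")}


def score_auth_events(events, window=WINDOW, threshold=THRESHOLD, ignore_pairs=M2M_PAIRS):
    """Sliding-window score per source IP: +1 per failure, -1 per success.
    Returns (src_ip, timestamp, score) each time a source's score reaches threshold."""
    history = defaultdict(deque)  # src_ip -> deque of (datetime, +1/-1) still inside the window
    alerts = []
    for ts_str, src, dst, outcome in sorted(events):  # replay in time order
        if (src, dst) in ignore_pairs:
            continue  # machine-to-machine traffic filtered by source/destination pair
        ts = datetime.fromisoformat(ts_str)
        q = history[src]
        q.append((ts, 1 if outcome == "failure" else -1))
        while q and ts - q[0][0] > window:  # drop entries that fell out of the window
            q.popleft()
        score = sum(d for _, d in q)
        if score >= threshold:
            alerts.append((src, ts_str, score))
            q.clear()  # reset the window after alerting so one burst fires once
    return alerts
```

Widening the window (or dropping the allowlist) changes which sources fire, which is the tuning the thread is discussing.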